Wednesday, August 1, 2012

PPTP is so insecure, it should be considered unencrypted

Security researchers Moxie Marlinspike and David Hulton have presented findings showing that the MS-CHAPv2 authentication protocol can be broken with a 100% success rate, and have publicly released the tools for anyone to do so. This protocol is used in WPA2 Enterprise encryption, as well as almost all PPTP VPN implementations. If you're still using a PPTP VPN, be aware that anyone sniffing your traffic can crack the MS-CHAPv2 authentication and gain access to your network. The researchers say that PPTP traffic should essentially be considered unencrypted.

The AccessEnforcer has never implemented PPTP. Instead, it gives the administrator the ability to easily deploy CalyptixVPN clients (based on OpenVPN), as well as create secure IPsec tunnels. Both of these protocols are recommended by the researchers as alternatives.
